[OTR-users] wiretapping

Ian Goldberg ian at cypherpunks.ca
Sun Jun 5 14:24:28 EDT 2005


On Sun, Jun 05, 2005 at 01:37:48PM -0400, brian.krebs at washingtonpost.com wrote:
> So if the person I'm chatting with and I both have the OTR plugin installed,
> and are using it in our conversations, would it be possible for the IM 
> provider - say AOL e.g. - to eavesdrop on or offer law enforcement the ability
> to piggyback on the conversation from either party's end and read the
> conversation?

The OTR protocol encrypts the messages between Alice's computer and
Bob's computer.  Although the messages still go through the provider's
servers, the provider is unable to read them.

OTR also allows Alice and Bob to verify each other's "fingerprints",
in order to combat so-called "man-in-the-middle" attacks.  [Note that
some other IM encryption mechanisms, such as Trillian SecureIM, don't
provide such protection, and then the IM provider could in fact read the
contents of the supposedly private conversation.]

That having been said, it's still possible for law enforcement or the IM
provider to try to install software, such as a keystroke logger, on your
computer, and steal the messages before they get encrypted in the first
place.

   - Ian
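
The fingerprint check described in the message above, as an added example that is not part of the original e-mail and not OTR's own code. It is a simplified model rather than the OTR wire protocol: the toy Diffie-Hellman group, the function names and the single key pair per party are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption): 2**127 - 1 is prime but far too
# small for real use; it keeps the example short and dependency-free.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """SHA-1 of the public key as five groups of eight hex digits."""
    digest = hashlib.sha1(pub.to_bytes(16, "big")).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))

def session_key(my_priv, their_pub):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def run_exchange(provider_substitutes_keys):
    """Model one key exchange relayed by the IM provider's servers."""
    a_priv, a_pub = keypair()          # Alice
    b_priv, b_pub = keypair()          # Bob
    p_priv, p_pub = keypair()          # key pair held by the provider
    # Each side only sees whatever public key the provider delivers.
    seen_by_alice = p_pub if provider_substitutes_keys else b_pub
    seen_by_bob = p_pub if provider_substitutes_keys else a_pub
    alice_key = session_key(a_priv, seen_by_alice)
    bob_key = session_key(b_priv, seen_by_bob)
    return {
        # The provider can read traffic only if it can derive both keys.
        "provider_can_read": (session_key(p_priv, a_pub) == alice_key
                              and session_key(p_priv, b_pub) == bob_key),
        # Bob reads his real fingerprint to Alice over another channel;
        # Alice compares it with the key she actually received.
        "fingerprint_matches": fingerprint(seen_by_alice) == fingerprint(b_pub),
        "endpoints_share_key": alice_key == bob_key,
    }

if __name__ == "__main__":
    for tampered in (False, True):
        print("provider substitutes keys:", tampered, run_exchange(tampered))
```

When the provider only relays the keys, the fingerprints match and it cannot derive the session key; when it substitutes its own key, it can read both directions, and the fingerprint comparison is the step that exposes the substitution.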


